update the transport client and add integration tests
Closes elastic/elasticsearch#477 Original commit: elastic/x-pack-elasticsearch@8926f6ca44
This commit is contained in:
parent
8511d56a83
commit
9e3bf47a87
|
@ -321,6 +321,7 @@
|
|||
<module>smoke-test-watcher-with-shield</module>
|
||||
<module>shield-example-realm</module>
|
||||
<module>shield-tribe-node-tests</module>
|
||||
<module>shield-client-tests</module>
|
||||
</modules>
|
||||
|
||||
<profiles>
|
||||
|
|
|
@ -0,0 +1,95 @@
|
|||
<?xml version="1.0"?>
|
||||
<!--
|
||||
~ ELASTICSEARCH CONFIDENTIAL
|
||||
~ __________________
|
||||
~
|
||||
~ [2014] Elasticsearch Incorporated. All Rights Reserved.
|
||||
~
|
||||
~ NOTICE: All information contained herein is, and remains
|
||||
~ the property of Elasticsearch Incorporated and its suppliers,
|
||||
~ if any. The intellectual and technical concepts contained
|
||||
~ herein are proprietary to Elasticsearch Incorporated
|
||||
~ and its suppliers and may be covered by U.S. and Foreign Patents,
|
||||
~ patents in process, and are protected by trade secret or copyright law.
|
||||
~ Dissemination of this information or reproduction of this material
|
||||
~ is strictly forbidden unless prior written permission is obtained
|
||||
~ from Elasticsearch Incorporated.
|
||||
-->
|
||||
|
||||
<project name="shield-client-tests"
|
||||
xmlns:ac="antlib:net.sf.antcontrib">
|
||||
|
||||
<import file="${elasticsearch.integ.antfile.default}"/>
|
||||
|
||||
<!-- redefined to work with auth -->
|
||||
<macrodef name="waitfor-elasticsearch">
|
||||
<attribute name="port"/>
|
||||
<attribute name="timeoutproperty"/>
|
||||
<sequential>
|
||||
<echo>Waiting for elasticsearch to become available on port @{port}...</echo>
|
||||
<waitfor maxwait="30" maxwaitunit="second"
|
||||
checkevery="500" checkeveryunit="millisecond"
|
||||
timeoutproperty="@{timeoutproperty}">
|
||||
<socket server="127.0.0.1" port="@{port}"/>
|
||||
</waitfor>
|
||||
</sequential>
|
||||
</macrodef>
|
||||
|
||||
<target name="start-external-cluster-with-plugin" depends="setup-workspace">
|
||||
<ac:for list="${xplugins.list}" param="xplugin.name">
|
||||
<sequential>
|
||||
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
|
||||
<condition>
|
||||
<not>
|
||||
<available file="${integ.deps}/plugins/@{xplugin.name}-${elasticsearch.version}.zip" />
|
||||
</not>
|
||||
</condition>
|
||||
</fail>
|
||||
</sequential>
|
||||
</ac:for>
|
||||
|
||||
<ac:for param="file">
|
||||
<path>
|
||||
<fileset dir="${integ.deps}/plugins"/>
|
||||
</path>
|
||||
<sequential>
|
||||
<local name="plugin.name"/>
|
||||
<convert-plugin-name file="@{file}" outputproperty="plugin.name"/>
|
||||
<install-plugin name="${plugin.name}" file="@{file}"/>
|
||||
</sequential>
|
||||
</ac:for>
|
||||
|
||||
<local name="home"/>
|
||||
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
|
||||
|
||||
<echo>Adding shield users...</echo>
|
||||
<run-script script="${home}/bin/shield/esusers">
|
||||
<nested>
|
||||
<arg value="useradd"/>
|
||||
<arg value="test_user"/>
|
||||
<arg value="-p"/>
|
||||
<arg value="changeme"/>
|
||||
<arg value="-r"/>
|
||||
<arg value="admin"/>
|
||||
</nested>
|
||||
</run-script>
|
||||
<run-script script="${home}/bin/shield/esusers">
|
||||
<nested>
|
||||
<arg value="useradd"/>
|
||||
<arg value="transport"/>
|
||||
<arg value="-p"/>
|
||||
<arg value="changeme"/>
|
||||
<arg value="-r"/>
|
||||
<arg value="transport_client"/>
|
||||
</nested>
|
||||
</run-script>
|
||||
|
||||
<startup-elasticsearch/>
|
||||
|
||||
<echo>Checking we can connect with basic auth on port ${integ.http.port}...</echo>
|
||||
<local name="temp.file"/>
|
||||
<tempfile property="temp.file" destdir="${java.io.tmpdir}"/>
|
||||
<get src="http://127.0.0.1:${integ.http.port}" dest="${temp.file}"
|
||||
username="test_user" password="changeme" verbose="true" retries="10"/>
|
||||
</target>
|
||||
</project>
|
|
@ -0,0 +1,144 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<parent>
|
||||
<artifactId>x-plugins-qa</artifactId>
|
||||
<groupId>org.elasticsearch.qa</groupId>
|
||||
<version>3.0.0-SNAPSHOT</version>
|
||||
</parent>
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<artifactId>shield-client-tests</artifactId>
|
||||
<name>QA: Shield transport client tests</name>
|
||||
<description>Run tests with a Transport Client for communication with a Shield enabled cluster</description>
|
||||
|
||||
<properties>
|
||||
<skip.unit.tests>true</skip.unit.tests>
|
||||
<tests.rest.load_packaged>false</tests.rest.load_packaged>
|
||||
<elasticsearch.integ.antfile>${project.basedir}/integration-tests.xml</elasticsearch.integ.antfile>
|
||||
<xplugins.list>license,shield</xplugins.list>
|
||||
</properties>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.elasticsearch.plugin</groupId>
|
||||
<artifactId>shield</artifactId>
|
||||
<version>${elasticsearch.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-assembly-plugin</artifactId>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-dependency-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>integ-setup-dependencies</id>
|
||||
<phase>pre-integration-test</phase>
|
||||
<goals>
|
||||
<goal>copy</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<skip>${skip.integ.tests}</skip>
|
||||
<useBaseVersion>true</useBaseVersion>
|
||||
<outputDirectory>${integ.deps}/plugins</outputDirectory>
|
||||
|
||||
<artifactItems>
|
||||
<!-- elasticsearch distribution -->
|
||||
<artifactItem>
|
||||
<groupId>org.elasticsearch.distribution.zip</groupId>
|
||||
<artifactId>elasticsearch</artifactId>
|
||||
<version>${elasticsearch.version}</version>
|
||||
<type>zip</type>
|
||||
<overWrite>true</overWrite>
|
||||
<outputDirectory>${integ.deps}</outputDirectory>
|
||||
</artifactItem>
|
||||
|
||||
<!-- commercial plugins -->
|
||||
<artifactItem>
|
||||
<groupId>org.elasticsearch.plugin</groupId>
|
||||
<artifactId>license</artifactId>
|
||||
<version>${elasticsearch.version}</version>
|
||||
<type>zip</type>
|
||||
<overWrite>true</overWrite>
|
||||
</artifactItem>
|
||||
|
||||
<artifactItem>
|
||||
<groupId>org.elasticsearch.plugin</groupId>
|
||||
<artifactId>shield</artifactId>
|
||||
<version>${elasticsearch.version}</version>
|
||||
<type>zip</type>
|
||||
<overWrite>true</overWrite>
|
||||
</artifactItem>
|
||||
</artifactItems>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<!-- integration tests -->
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-antrun-plugin</artifactId>
|
||||
<executions>
|
||||
<!-- start up external cluster -->
|
||||
<execution>
|
||||
<id>integ-setup</id>
|
||||
<phase>pre-integration-test</phase>
|
||||
<goals>
|
||||
<goal>run</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<target>
|
||||
<ant antfile="${elasticsearch.integ.antfile}" target="start-external-cluster-with-plugin">
|
||||
<property name="tests.jvm.argline" value="${tests.jvm.argline}"/>
|
||||
<property name="plugins.dir" value="${plugins.dir}"/>
|
||||
<property name="xplugins.list" value="${xplugins.list}"/>
|
||||
</ant>
|
||||
</target>
|
||||
<skip>${skip.integ.tests}</skip>
|
||||
</configuration>
|
||||
</execution>
|
||||
<!-- shut down external cluster -->
|
||||
<execution>
|
||||
<id>integ-teardown</id>
|
||||
<phase>post-integration-test</phase>
|
||||
<goals>
|
||||
<goal>run</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<target>
|
||||
<ant antfile="${elasticsearch.integ.antfile}" target="stop-external-cluster"/>
|
||||
</target>
|
||||
<skip>${skip.integ.tests}</skip>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>ant-contrib</groupId>
|
||||
<artifactId>ant-contrib</artifactId>
|
||||
<version>1.0b3</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>ant</groupId>
|
||||
<artifactId>ant</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.ant</groupId>
|
||||
<artifactId>ant-nodeps</artifactId>
|
||||
<version>1.8.1</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</project>
|
|
@ -0,0 +1,120 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.shield.qa;
|
||||
|
||||
import org.elasticsearch.ElasticsearchSecurityException;
|
||||
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
||||
import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
|
||||
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
|
||||
import org.elasticsearch.client.transport.TransportClient;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.plugins.Plugin;
|
||||
import org.elasticsearch.shield.ShieldPlugin;
|
||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
||||
import org.elasticsearch.test.ESIntegTestCase;
|
||||
import org.junit.Test;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||
import static org.hamcrest.Matchers.*;
|
||||
|
||||
/**
|
||||
* Integration tests that test a transport client with Shield being loaded that connect to an external cluster
|
||||
*/
|
||||
public class ShieldTransportClientIT extends ESIntegTestCase {
|
||||
|
||||
static final String ADMIN_USER_PW = "test_user:changeme";
|
||||
static final String TRANSPORT_USER_PW = "transport:changeme";
|
||||
|
||||
@Override
|
||||
protected Settings externalClusterClientSettings() {
|
||||
return Settings.builder()
|
||||
.put("shield.user", ADMIN_USER_PW)
|
||||
.build();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Collection<Class<? extends Plugin>> transportClientPlugins() {
|
||||
return Collections.singletonList(ShieldPlugin.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testThatTransportClientWithoutAuthenticationDoesNotWork() throws Exception {
|
||||
try (TransportClient client = transportClient(Settings.EMPTY)) {
|
||||
boolean connected = awaitBusy(() -> {
|
||||
return client.connectedNodes().size() > 0;
|
||||
}, 5L, TimeUnit.SECONDS);
|
||||
|
||||
assertThat(connected, is(false));
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testThatTransportClientAuthenticationWithTransportClientRole() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("shield.user", TRANSPORT_USER_PW)
|
||||
.build();
|
||||
try (TransportClient client = transportClient(settings)) {
|
||||
boolean connected = awaitBusy(() -> {
|
||||
return client.connectedNodes().size() > 0;
|
||||
}, 5L, TimeUnit.SECONDS);
|
||||
|
||||
assertThat(connected, is(true));
|
||||
|
||||
// this checks that the transport client is really running in a limited state
|
||||
try {
|
||||
client.admin().cluster().prepareHealth().get();
|
||||
fail("the transport user should not be be able to get health!");
|
||||
} catch (ElasticsearchSecurityException e) {
|
||||
assertThat(e.toString(), containsString("unauthorized"));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testTransportClientWithAdminUser() throws Exception {
|
||||
final boolean useTransportUser = randomBoolean();
|
||||
Settings settings = Settings.builder()
|
||||
.put("shield.user", useTransportUser ? TRANSPORT_USER_PW : ADMIN_USER_PW)
|
||||
.build();
|
||||
try (TransportClient client = transportClient(settings)) {
|
||||
boolean connected = awaitBusy(() -> {
|
||||
return client.connectedNodes().size() > 0;
|
||||
}, 5L, TimeUnit.SECONDS);
|
||||
|
||||
assertThat(connected, is(true));
|
||||
|
||||
// this checks that the transport client is really running in a limited state
|
||||
ClusterHealthResponse response;
|
||||
if (useTransportUser) {
|
||||
response = client.admin().cluster().prepareHealth().putHeader("Authorization", basicAuthHeaderValue("test_user", new SecuredString("changeme".toCharArray()))).get();
|
||||
} else {
|
||||
response = client.admin().cluster().prepareHealth().get();
|
||||
}
|
||||
|
||||
assertThat(response.isTimedOut(), is(false));
|
||||
}
|
||||
}
|
||||
|
||||
TransportClient transportClient(Settings extraSettings) {
|
||||
NodesInfoResponse nodeInfos = client().admin().cluster().prepareNodesInfo().get();
|
||||
NodeInfo[] nodes = nodeInfos.getNodes();
|
||||
assertTrue(nodes.length > 0);
|
||||
TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress();
|
||||
String clusterName = nodeInfos.getClusterNameAsString();
|
||||
|
||||
Settings settings = Settings.builder()
|
||||
.put(extraSettings)
|
||||
.put("cluster.name", clusterName)
|
||||
.build();
|
||||
|
||||
return TransportClient.builder().settings(settings).addPlugin(ShieldPlugin.class).build().addTransportAddress(publishAddress);
|
||||
}
|
||||
}
|
|
@ -21,18 +21,9 @@ user:
|
|||
# Defines the required permissions for transport clients
|
||||
transport_client:
|
||||
cluster:
|
||||
- cluster:monitor/nodes/info
|
||||
#uncomment the following for sniffing
|
||||
#- cluster:monitor/state
|
||||
|
||||
# The required role for kibana 3 users
|
||||
kibana3:
|
||||
cluster: cluster:monitor/nodes/info
|
||||
indices:
|
||||
'*':
|
||||
privileges: indices:data/read/search, indices:data/read/get, indices:admin/get
|
||||
'kibana-int':
|
||||
privileges: indices:data/read/search, indices:data/read/get, indices:data/write/delete, indices:data/write/index, create_index
|
||||
- cluster:monitor/nodes/liveness
|
||||
#uncomment the following for sniffing
|
||||
#- cluster:monitor/state
|
||||
|
||||
# The required permissions for kibana 4 users.
|
||||
kibana4:
|
||||
|
@ -60,18 +51,3 @@ logstash:
|
|||
indices:
|
||||
'logstash-*':
|
||||
privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index
|
||||
|
||||
# Marvel role, allowing all operations
|
||||
# on the marvel indices
|
||||
marvel_user:
|
||||
cluster: cluster:monitor/nodes/info, cluster:admin/plugin/license/get
|
||||
indices:
|
||||
'.marvel-*':
|
||||
privileges: all
|
||||
|
||||
# Marvel Agent users
|
||||
marvel_agent:
|
||||
cluster: indices:admin/template/get, indices:admin/template/put
|
||||
indices:
|
||||
'.marvel-*':
|
||||
privileges: indices:data/write/bulk, create_index
|
||||
|
|
|
@ -34,7 +34,7 @@ The default role definitions in the `roles.yml` file may need to be changed to e
|
|||
applications such as Marvel and Kibana. Any role changes will be found in `roles.yml.new` after upgrading to the new
|
||||
version of Shield. We recommend copying the changes listed below to your `roles.yml` file.
|
||||
|
||||
* added[2.0.0-beta2] The permission on all the roles are updated to the verbose format to make it easer to enable field level and document level security.
|
||||
* added[2.0.0-beta2] The permission on all the roles are updated to the verbose format to make it easier to enable field level and document level security. `transport_client` role updated to work with Elasticsearch 2.0.0-beta2. `kibana3`, `marvel_user`, and `marvel_agent` roles removed.
|
||||
* added[1.1.0] `kibana4_server` role added that defines the minimum set of permissions necessary for the Kibana 4 server.
|
||||
* added[1.0.1] `kibana4` role updated to work with new features in Kibana 4 RC1
|
||||
|
||||
|
|
Loading…
Reference in New Issue